isn't quite ashamed enough to present

jr conlin's ink stained banana

:: Avoiding the FireSheep

In case you don't know, i'll take a moment to remind you that Firesheep is in the wild and sniffing your packets. This means that anyone sitting at a McDonald's, Starbucks or any other open wireless hotspot can sniff your credentials.

Ok, that's not 100% accurate. It's only people on your immediate network (the folks all sharing the access point), and they can only pull the unsecured session cookie that most sites use to keep you logged in, but it's still an issue, and frankly has been one for years; Firesheep just makes it a lot easier now.

So, what to do? Well, there's a few options:
Best
If you have access to a VPN, use it. (i'll note that Dreamhost offers one as a $20 upgrade, meaning the minimum price is around $30 a month. i'd appreciate the referral if you do sign up.)

The clients support Windows and Mac and with a little effort, other devices too. There are other cheaper VPN providers out there as well, so it is something to consider.

Better
Install and run OpenVPN. This requires a good deal of effort, however, and is limited to the upload speed of whatever host you've attached to (since request data is proxied through that host). That can lead to less than appealing speeds if you're trying to stream a movie before a flight.

Good
i'm a huge fan of ssh proxies, but i completely understand why they suck for most folks. Basically, you're creating your own little VPN via an ssh connection to a remote server, and then very carefully routing your requests through that tunnel. For web requests, that's fairly easy to do. i use the free ssh service my hosting provider offers and route traffic through that.

Just add a stanza like the following to your ~/.ssh/config file:
    Host proxy
    HostName The Host You're Connecting To
    User Your user name
    DynamicForward 8080

If you're using Firefox, you can grab a copy of FoxyProxy, which will make setting your proxy up a lot easier. If not, you'll have to go into your browser's Preferences/Settings, find the Network settings, and set the Connection Proxy type to use a SOCKS connection pointing to localhost, port 8080. (Make sure to remove localhost and 127.0.0.1 from any list of hosts to ignore.) In Firefox, also set network.proxy.socks_remote_dns to true in about:config so that DNS lookups go through the tunnel as well; otherwise the names of the sites you visit are still visible to everyone on the local network.

Then, ssh to your remote host using the name "proxy" (e.g. $ ssh proxy ). Once your ssh session is running, all your web traffic will go through the tunnel. Mail and other apps won't, though, so you should still be cautious about those.

:: LeakBook

Ok, it's been a while, but i wanted to talk a bit about that whole "Facebook App Developers are leaking personal information" thing that was all the buzz a while ago.

Yes, i'm a privacy fanatic of the highest degree, but i don't think that Zynga or any other partner out there was at fault on this one.

Why? Because Facebook blew it.

Facebook has had at least three different ways that external applications can get Your Info. The nice bit is that you don't necessarily have to be logged in to get it, but you do need one key bit of info. Allow me to demonstrate using the latest Facebook API, the Open Graph.

The basic premise is that you call "http://graph.facebook.com/{id}/" and get some stack of information that the user has shared. Here's mine as an example: http://graph.facebook.com/745051744 If you click on that, you'll see the public bits of my facebook information. Granted, anyone can suss those bits of info out, and that's not where Facebook blew it.

No, the place that Facebook blew it is by demanding that the User's ID (the 745051744 bit) be private. It's not. In fact, Facebook sprays it around like you repeated your social security number on your last loan application. It's the fulcrum point to identify a user, and has been through each iteration of the API. It's the single constant that can be, and is, shared between third parties to identify me, and as i demonstrated above, anyone can get at your public data via it. It's used by the Single Login widgets, Like buttons, and everything else on the planet that wants you to think you're a unique and beautiful snowflake.

i'll note that earlier versions of the API were horrific in that you could also get your friends, thus with one or two IDs (and a nod to Kevin Bacon), i could get nearly every single Facebook user.

Of course external parties are going to exchange it. It's how they know you're you regardless of who they're talking to. Just like i can harvest thousands of them by simply putting up an iFrame "app". Facebook can send an outrageous amount of information with each request for that page, easily parsed up and ready for whatever site wants to consume it.

Here's a sample result from my log:
adsl-xx-xx-xx-xx.dsl.sntc01.pacbell.net - - [25/Oct/2010:15:40:21 -0700] "GET /fb/blank.php/?fb_sig_in_iframe=1&fb_sig_base_domain=netflix.com&fb_sig_locale=en_US&fb_sig_in_new_facebook=1&fb_sig_time=1288046424.9302&fb_sig_added=1&fb_sig_profile_update_time=1244827892&fb_sig_expires=1288051200&fb_sig_user=745051744&fb_sig_session_key=2.fTTfxgIBwwxn_Jc2_pIGnQ__.3600.1288051200-745051744&fb_sig_ss=H68T8bikxFlHAJb_80vSyg__&fb_sig_cookie_sig=e257457ad0f76354d5c008054d2e1a23&fb_sig_ext_perms=status_update%2Cphoto_upload%2Cvideo_upload%2Ccreate_note%2Cshare_item%2Cpublish_stream%2Cuser_birthday%2Cuser_religion_politics%2Cuser_relationships%2Cuser_relationship_details%2Cuser_hometown%2Cuser_location%2Cuser_likes%2Cuser_activities%2Cuser_interests%2Cuser_education_history%2Cuser_work_history%2Cuser_online_presence%2Cuser_website%2Cuser_groups%2Cuser_events%2Cuser_photos%2Cuser_videos%2Cuser_photo_video_tags%2Cuser_notes%2Cuser_about_me%2Cuser_status%2Cfriends_birthday%2Cfriends_religion_politics%2Cfriends_relationships%2Cfriends_relationship_details%2Cfriends_hometown%2Cfriends_location%2Cfriends_likes%2Cfriends_activities%2Cfriends_interests%2Cfriends_education_history%2Cfriends_work_history%2Cfriends_online_presence%2Cfriends_website%2Cfriends_groups%2Cfriends_events%2Cfriends_photos%2Cfriends_videos%2Cfriends_photo_video_tags%2Cfriends_notes%2Cfriends_about_me%2Cfriends_status&fb_sig_country=us&fb_sig_api_key=...&fb_sig_app_id=...&fb_sig=366323fdb20a067cc72c779816ddb722 HTTP/1.1" 200 1056 "http://apps.facebook.com/netflixupdates/" "Mozilla/5.0 (X11; Linux x86_64; rv:2.0b8pre) Gecko/20101025 Firefox/4.0b8pre"

i don't have a lot of those fields spelled out, but imagine if i did. Again, this is a page, running on my private server, that was embedded as an iFrame. (i've since removed it.)

Mind you, even the new Encrypted ID method doesn't really solve the problem either, since all it does is hide the ID and all the other crap inside an encrypted packet. It's the same unique ID that identifies You; the same unique token that's an obvious index and that everyone is currently in such a tizzy about. Because how the hell else am i going to identify a Facebook user on my site if i want to do something like keep state data associated with your account? If Facebook REALLY wanted to solve this problem, they'd make the unique id less useful. A simple hash of the application key plus the user id tossed through a lightweight cipher like Blowfish could have generated a nice, completely opaque id that would be unique per app and user, but they didn't. Instead they pretty much said, "Yeah, that id we use for everything, you can't use it." and brought down the ban hammer on companies for doing something obvious. Which, frankly, is naive as hell.
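As an added illustration (not code from the post), here is what the iframe request actually hands an app, parsed from a log line like the one above, next to the per-app opaque id the post argues Facebook should have issued instead. The log line is a constructed, shortened version of the real one with a placeholder app id, and HMAC-SHA256 stands in for the post's Blowfish suggestion; the per-app key is assumed to be held by Facebook, not given to the app.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed, shortened version of the access-log line quoted above; the real
# request carried roughly fifty fb_sig_* parameters. The app id is a placeholder.
SAMPLE_LOG_LINE = (
    'adsl-xx-xx-xx-xx.dsl.sntc01.pacbell.net - - [25/Oct/2010:15:40:21 -0700] '
    '"GET /fb/blank.php/?fb_sig_in_iframe=1&fb_sig_base_domain=netflix.com'
    '&fb_sig_user=745051744&fb_sig_ext_perms=status_update%2Cuser_birthday'
    '%2Cfriends_photos&fb_sig_app_id=APP_ID_PLACEHOLDER HTTP/1.1" 200 1056'
)


def parse_fb_sig(log_line):
    """Return the fb_sig_* parameters Facebook appended to the iframe request.

    The global user id and the granted permissions land in the web server's
    access log of whoever hosts the iframe, which is the post's point: the id
    is not private in any meaningful sense.
    """
    start = log_line.index('"GET ') + len('"GET ')
    end = log_line.index(" HTTP/", start)
    query = urlsplit(log_line[start:end]).query
    params = {k: v[0] for k, v in parse_qs(query).items() if k.startswith("fb_sig_")}
    if "fb_sig_ext_perms" in params:
        # Comma-separated (sent as %2C) list of granted permissions.
        params["fb_sig_ext_perms"] = params["fb_sig_ext_perms"].split(",")
    return params


def app_scoped_id(platform_key, user_id):
    """The opaque, per-app id the post argues Facebook should have issued.

    HMAC-SHA256 is an assumption standing in for the post's "hash of app key
    plus user id through a lightweight cipher". platform_key must be a secret
    Facebook keeps per app and never hands out: user ids are sequential, so
    anyone holding the key could enumerate them and undo the mapping.
    """
    mac = hmac.new(platform_key.encode(), str(user_id).encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def apps_can_correlate(id_seen_by_app_a, id_seen_by_app_b):
    """True if two apps could join their records on the id alone."""
    return id_seen_by_app_a == id_seen_by_app_b


if __name__ == "__main__":
    params = parse_fb_sig(SAMPLE_LOG_LINE)
    uid = params["fb_sig_user"]
    # Today: every app sees the same global id and can trade records on it.
    print("global id shared:", apps_can_correlate(uid, uid))
    # Scoped: the same user looks unrelated to two different apps.
    a, b = app_scoped_id("key-for-app-a", uid), app_scoped_id("key-for-app-b", uid)
    print("scoped ids shared:", apps_can_correlate(a, b))
```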

Facebook? The cat's out of the bag, the genie is out of the bottle, and the train has left the station on this one. Facebook IDs are and will most likely continue to be public information. Hell, anyone with a Perl script and a bot farm can easily pound through the sequentially numbered IDs and get the "user information" that Zynga and the rest were sending 'round, and don't believe for a second that folks haven't already done that.

Honestly, Zynga passing around that information is not the farmville i'd be most concerned about, but then, that's why i don't stay logged into facebook or really store a lot of data there.

:: Getting 64 bit Flash working on Ubuntu

As a bit of a follow up to yesterday's post, here's how to get the 64 bit flash library working correctly.

  1. Get thee to Adobe Labs and grab the latest Flash 10 library.
  2. Make sure you have uninstalled the nspluginwrapper libraries, flashplugin-nonfree & flashplugin-installer.
  3. Remove any old instances of libflashplayer.so from /usr and ~/.mozilla (i prefer
    $ sudo find /usr -name libflashplayer.so -delete
    but feel free to use whatever you like). (Note: depending on how you've configured Chrome, it may look for libflashplayer.so under the ~/.mozilla directory.)
  4. Extract the new libflashplayer.so:
    $ tar -zxvf flashplayer_square_p2_64bit_linux_*.tar.gz
  5. Copy it into the plugins directory:
    $ sudo cp libflashplayer.so /usr/lib/firefox/plugins/
  6. Depending on what other things are installed, you may also wish to:
    $ cd ~/.mozilla/plugins
    $ ln -s /usr/lib/firefox/plugins/libflashplayer.so
  7. Restart browsers and you should be good to go.

Fortunately, it's not terribly difficult to do this. Basically, you need to remove the "helpful" bits from the 32-bit wrappers and just go 64-bit. For what it's worth, i've also noticed that things are not only faster on start but also a bit more stable.

:: Getting 64 bit Firefox 4 working right under Ubuntu

As anyone with more than 3.4 GB of memory installed will tell you, 64 bit installs can be kind of a pain sometimes. What's made things even more fun (for occasionally small values of fun) is the fact that if you like to live beneath the bleeding edge of things (or more properly are the bleeding part of the edge), things doubly suck because you have to run around a fair bit to get them.

Well, put away those track shoes kids, time for Uncle JR to help you out.

Like you (most likely), i was coming from an existing install of Firefox. Since i'm a mozilla fanboy of some legacy, i had a fairly bodged-together set of extensions, libraries and other whatnot. Let me be the first to tell you, most of that will have to go. In fact, what you'll be doing is starting reasonably fresh, but the good news is that you're not going to lose a lot in the move.

Let's get started, shall we?

Much like a good cook, proper preparation will set you free. You're going to need to make sure you have the following installed. (Feel free to do so using whatever installation package you prefer. i prefer synaptic, but that's just me.)

  • git
  • mercurial
  • perl

Also make sure you have Firefox Sync (Weave) installed.

The Steps

  1. install and set up Sync (make sure to back up at least bookmarks and passwords, i prefer to have it handle everything, but that's up to you.) Once you've got it loaded, make sure to "Sync Now". It should only take around 30 seconds to finish.
  2. In addition, you'll probably want to do the same for personalized extensions like Adblock and GreaseMonkey.
    For AdBlock Plus:
    1. Go to Tools | Adblock Plus Preferences…
    2. Pick Filters | Export custom filters…
    3. i recommend dumping them to something like "$DESKTOP/adblock_filters.txt"
  3. grab the nightly build.
  4. install into new directory. This will be a tarball rooted to "./firefox". i actually recommend untarring to something like "~/install" and then moving "~/install/firefox" to something like "~/Programs/firefox4".
  5. Firefox, while able to use multiple profiles, kinda sucks at it. When it starts, it consults ~/.mozilla/firefox/profiles.ini (regardless of what version you have) and looks for the profile that has "Default=1". The best way to go is to simply Start Fresh. The good news is that it's fairly easy to do this. So easy, there are two ways to do it:
    You can either:

    Create a new sub directory under your mozilla profiles (You do store your mozilla profile info on a TrueCrypt drive so that when your computer is stolen, bad guys can't get your stored passwords and other info, right?) called something like "ff4.profile"

    or

    In your new firefox4/bin directory:

    • $ ln -s firefox-bin firefox.bin-pure
      (i have no idea why firefox doesn't do this, or requires firefox.bin-pure, but it's easy to get around.)
    • $ firefox -p
      And create a new profile.
  6. There's also the matter of Flash. This is also fairly straight forward now that Adobe is providing a 64 bit client for Linux. i'll go on about how to fix that up in a different post.
  7. Once that's done, there's the matter of setting up the launch links. i have two, and as i noted earlier, Firefox tends to be a touch "helpful" about auto-picking what profile to use. In order to fix that helpful behavior, you can create a menu link with the following Command:
    $INSTALL_PATH/firefox4/firefox --profile $PROFILE_PATH/profile.ff4
    This will force Firefox to use that specific profile when it starts up, regardless of what your profiles.ini says. You may want to consider creating a version for Firefox 3.* as well, having it point to your old profile.
  8. Now that things are set up, start Firefox 4. (Remember to point it at the brand new profile!)
  9. Resync, using Tools | Set up sync…
    For what it's worth, this will add a new entry for your new configuration. Be sure that for your first sync, you have it overwrite your local values. This is specified via the Options button on the second screen. Syncing takes less than 30 seconds on my computer, and probably a lot less on yours.
  10. Believe it or not, but you should be good to go at this point. Sync is pretty darn spiffy that way. You'll still have to log into various services because the cookies won't be present, but that's not a big deal, and thanks to Sync, your accounts and passwords should have been moved over as well.

Of course, if you're like me, there's some things you can't live without. Here's how to get those running. (Note: Most of these are also nightly or beta builds, so some additional steps are going to be required. You're going to need to at least compile these into .xpi packages to make installing easier.)

  1. adblock
    1. Grab the source tree using the steps provided.
    2. run create_xpi.pl
    3. install by dragging the xpi onto the about:addons page.
    4. You can then re-import the "adblock_filters.txt" file from before.
  2. greasemonkey
    1. Grab the source using the steps provided.
    2. You may need to fix build.sh (and convert to unix line encoding)
    3. run build.sh to generate the .xpi
    4. install
    5. You can copy over the various greasemonkey scripts from the original firefox profile gm_scripts directory, but i'd also recommend looking over those to see what you need.
  3. Firebug
    Just get the latest (currently 1.7x.0a4, but your mileage will vary).
  4. OneTrueFan
    because the old MBL crew works on it and it should be necessary.

Do that and you're ready to roll.

Pretty straight forward, huh?

(Ok, yeah. But for folks running a 64 bit version of a fringe OS, that's actually pretty simple.)

:: Things I've Learned

Another "Future Notes from Me:", but you might find this useful too. These are in no particular order, but serve as further guidelines:

1. Go with your instinct
There's probably a good reason if the company you joined has a high turn over rate.

2. Compensation is a flower wrapped cudgel
If someone is willing to over pay you, there's a reason. Know the reason (and don't presume it's because you're just that good).

3. Learn new things, but not at the expense of old skills
If you're a focused expert, this isn't a problem, but if you're a generalist like myself, it sure as hell is. Keep fluent in old languages and tools. Watch the market and see what folks are using.

4. Grow your Network
The #1 most important asset you have is your group of peers. Never, ever forget that.

5. Don't join on expectation
Make sure that the position you're being hired for exists. It may not be public yet, but it's definitely there and there are both resources and business plans that have been set aside for it. Do not join if you're told "We need you for X, but we'd like to get you started by doing Y for a few months."

6. Have an exit strategy
Positions, departments and even companies change focus. Sometimes, rather abruptly. If your position were to go away next week, is there something else you could do? If not, is there somewhere else you could go? Always have a "Plan B".

7. Return in Kind
Be loyal to a company that recognizes it. Be open to a company that communicates. (Actually, this is my personal philosophy as well. i always start on the positive, but happily return negative if that's what you insist.)

8. PR is cheap
Judge a company not upon its words, but upon its actions. (Sadly, this is the most difficult part to discover until you're part of a company, but it does play into #1.)

9. Be an effective interviewer
Don't forget that you're also seeing if the company is good for you. Ask questions of the employees about where they work. The lower ranked employees will probably give the best answers. (Note, if you're an executive and you don't talk to at least one guy in the trench, you're a fool. Those are the folks actually making your department/section/company run.)

10. Don't lose your voice
If you are a communicator (someone who likes to talk, tweet, blog, etc.) and the company asks you to stop doing that, there's a problem. If you're asked to have all of your comments reviewed by marketing, legal, or management, there's a problem. Mind you, if you're a dope and divulge proprietary information, insult employees, or leak upcoming services, then you deserve to have those problems. If you're doing something like noting your association with a given released product, acknowledging issues, or aiding customers with already public information, however, that's a completely different problem.

These also play into the normal, common sense things like:
Make sure the company has a clear business model (other than "be acquired"), that you understand what it is, and that the technology is sound, that departments understand the roles each other group performs and what is and isn't possible, blah, blah, blah.
